WP Engine and PCI Compliance
The information provided in this FAQ is meant to be helpful to you, but please note that WP Engine is not qualified to assess your compliance with the standards discussed here or any other legal obligations you may have. You are responsible for understanding the risks and requirements related to accepting online payments and for seeking third-party experts should you require any assistance.
The payment card industry (“PCI” for short) is the global collective of businesses associated with accepting and processing credit and debit card payments. The PCI Security Standards Council (“PCI SSC”) is an industry group, comprised of American Express, Discover Financial Services, JCB, MasterCard, and Visa, which has established the PCI Data Security Standard (“PCI DSS”), the most recent version of which was released in April 2016. PCI DSS provides a set of consistent security measures for anyone processing credit card payments or otherwise managing cardholder data. More information can be found on the PCI SSC web site.
Who needs to be compliant?
PCI DSS is an industry standard that applies to anyone who stores, processes, or transmits cardholder data. If you are licensed by or accept payments for or on behalf of any of the participating members of PCI SSC, you must comply with the standards they publish. Each member is individually responsible for enforcement and may have different requirements for proving compliance, though traditionally they all follow the published standard.
Is WP Engine PCI compliant?
Yes. For the payment-related data we collect from you, we are fully compliant with PCI DSS v3.2. Because we don’t handle cardholder data, and our Acceptable Use Policy prohibits you from doing so on our Services, we have no plans to obtain a PCI Report-on-Compliance.
This does not mean you’re in compliance simply by hosting with us, however. We don’t operate your web site or interact with your end users, and you are responsible for the way in which you collect, store, or process any cardholder data. The good news is that compliance isn’t hard, as long as you understand the requirements.
OK, so how do I comply?
Since PCI DSS applies to “entities that store, process, and/or transmit cardholder data,” the easiest way to address the standard is to simply avoid storing, processing, or transmitting cardholder data. If you host an e-commerce site, there are third-party payment processors who can accept and process credit card payments on your behalf. Some examples include Authorize.net, Braintree, Payeezy, PayPal Pro, and Stripe.
Do I have to use a third-party payment processor?
Outsourcing your payment processing is the easiest path to meeting your PCI DSS requirements. It is also the only choice that is compatible with our Services.
WP Engine’s Acceptable Use Policy prohibits you from using our Services to store, process, or transmit cardholder data. If you have any further questions, we are more than happy to talk to you and/or your third-party developer, auditor, or assessor.
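One check a site owner can run to confirm that the "never touch cardholder data" approach described above is actually holding, added here as an example and not WP Engine's own tooling: scan exported log lines or database rows for Luhn-valid, card-number-like digit sequences, since any hit means cardholder data is being stored on the site, which puts the site in PCI DSS scope and violates the Acceptable Use Policy. The sample lines below are constructed, and the card numbers in them are public test numbers, not real accounts.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return masked (first 6 / last 4) PAN-like values found in text.

    Masking keeps the finding useful for triage without copying a full PAN
    into yet another place it should not be stored.
    """
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):   # drops most order numbers, IDs and timestamps
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def scan_lines(lines) -> list:
    """Return (line_number, masked_hits) for every line that contains PAN-like data."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = find_pans(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample: two log lines and two database-row exports from a WordPress
# store. Line 2 is a debug log that captured a raw form post; line 3 is an order
# meta row holding a card number. Line 4 is a 13-digit order number that fails Luhn.
SAMPLE = [
    "2016-05-01 12:00:01 checkout.php POST order_id=1042 amount=19.99 token=tok_abc123",
    "2016-05-01 12:00:02 DEBUG raw_form card=4242 4242 4242 4242 exp=12/20",
    "wp_postmeta|1043|_billing_card|4111-1111-1111-1111",
    "wp_postmeta|1044|_order_number|1234567890123",
]

if __name__ == "__main__":
    for n, hits in scan_lines(SAMPLE):
        print(f"line {n}: cardholder data present {hits}")
```

Run it against a database export or a tail of the site's access and debug logs; any output at all means the site is handling cardholder data and the integration with the payment processor needs to be fixed before scope can be reduced.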
If I take these steps, will my site pass a PCI audit/scan?
If you are providing e-commerce services and choose to include your WP Engine site in your PCI vulnerability scanning scope, please be aware that scan results may be inaccurate because we run customized versions of various components.
In any case, we suggest you confirm with your PCI QSA whether your WP Engine site should be included or not as they may not be clear on how your WP Engine site works.